[squid-users] [squid-dev] [RFC] Changes to http_access defaults

Alex Rousskov rousskov at measurement-factory.com
Thu Apr 13 16:39:35 UTC 2017


On 04/13/2017 09:58 AM, Yuri Voinov wrote:
> 13.04.2017 21:14, Dan Purgert wrote:

>> How would a "built-in default" alter an existing setup? I mean, in
>> every other instance that I can think of, if the config file includes
>> the directive, the config file's version overrides the default ...

> This is normal behaviour. The system administrator should have the
> possibility to override ANY default.

That much is understood. What is not yet clear are the exact conditions
under which those defaults disappear. This is one of the two primary
questions the RFC does not answer yet (the other one being what exactly
this change is actually trying to accomplish).

"Normally", foo_bar defaults disappear at the first sign of an explicit
foo_bar rule in squid.conf. However, that will probably defeat the
(unspecified) purpose of supporting http_access defaults because every
Squid needs non-default http_access rules!

The suspected uselessness of "normal" behavior is exactly why those two
questions must be answered in the updated version of the RFC.

My earlier response sketched one way to add http_access defaults that do
not disappear so easily that they become useless (see
deny_unsafe_ports), but that idea has its own serious flaws. The "many
folks misconfigure access rules" problem may not have a good solution
(under Squid control); we should be careful not to make things worse
while not solving the unsolvable problem.

Alex.


